How to Install CHKROOTKIT on Ubuntu 18.04/Centos 7

In this article, I'll explain how to install chkrootkit on Ubuntu 18.04 and CentOS 7 systems. chkrootkit is a widely used security scanner that helps administrators search the local system for signs that it is infected with a 'rootkit'. A rootkit is malicious software that takes control of a system without the owner's knowledge and then hides its presence, typically by concealing its own files, processes and network connections. Because it runs with superuser privileges, it can execute arbitrary files, change system configuration and subvert the very tools (ps, ls, netstat) an administrator would use to look for it.

Please keep in mind that chkrootkit can find files and processes associated with known rootkits, but a clean report does not prove a system is clean, and you can't be 100% sure that every piece of a rootkit has been found and removed. Once a rootkit is confirmed, the reliable remedy is to reinstall from trusted media and restore data from backups taken before the compromise. You can reduce the risk of getting there by keeping all applications and the operating system patched against known vulnerabilities, and by running the scanner with trusted binaries (see the -p option below), since a rootkit that has replaced ps, ls or netstat can also fool a scanner that relies on them.

Installing chkrootkit on Ubuntu 18.04

chkrootkit is easy to install on an Ubuntu 18.04 server because it is packaged in the Ubuntu repositories under the name chkrootkit, so a normal package install from the default repositories is all that is needed.

Root privileges are needed both to install the package and to run chkrootkit, because it reads /proc entries and inspects system binaries that an ordinary user cannot fully see.

Enable Automatic Server Scanning

The chkrootkit package in the Ubuntu repository ships a daily cron job in /etc/cron.daily, but the job is disabled by default and its output goes to root's mail, so make sure that mail is read or forwarded. To enable the daily check, open /etc/chkrootkit.conf and modify it as below:

Replace the first line:

RUN_DAILY="false"

with

RUN_DAILY="true"
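The whole Ubuntu procedure as one script, added here as an example and not code from the original article. It installs the package and switches the daily job on idempotently, so it can be re-run or dropped into configuration management. The file /etc/chkrootkit.conf, the RUN_DAILY key and the RUN_DAILY_OPTS key are what the Debian/Ubuntu package ships; the function names are my own.

```shell
#!/bin/sh
# Added example: install chkrootkit on Ubuntu and enable the packaged daily
# cron job. Run as root with the single argument "install"; with no argument
# it only defines the helper functions (so they can be sourced or tested).
set -eu

CHKROOTKIT_CONF="${CHKROOTKIT_CONF:-/etc/chkrootkit.conf}"

# set_conf_option FILE KEY VALUE
# Sets KEY="VALUE" in FILE, replacing an existing assignment or appending one.
# Re-running it leaves exactly one KEY= line, so the script is safe to repeat.
set_conf_option() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_option FILE KEY
# Prints the value assigned to KEY (quotes stripped), or nothing if unset.
get_conf_option() {
    file="$1"; key="$2"
    grep "^${key}=" "$file" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# daily_job_enabled FILE
# Returns 0 only if the config turns the daily run on.
daily_job_enabled() {
    [ "$(get_conf_option "$1" RUN_DAILY)" = "true" ]
}

install_and_enable() {
    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get install -y chkrootkit
    set_conf_option "$CHKROOTKIT_CONF" RUN_DAILY true
    # -q (quiet) keeps the daily mail limited to suspicious findings.
    set_conf_option "$CHKROOTKIT_CONF" RUN_DAILY_OPTS "-q"
    # The package's cron job reads this config; confirm both are in place.
    daily_job_enabled "$CHKROOTKIT_CONF"
    ls -l /etc/cron.daily/chkrootkit
}

if [ "${1:-}" = "install" ]; then
    install_and_enable
fi
```

Run it as root with the argument "install". The config edit is done with sed rather than by appending a second RUN_DAILY line because the shell-style config file takes the last assignment, which makes appended duplicates easy to misread later.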

Installing chkrootkit on CentOS 7.5

This tool is not in the base CentOS repositories, so we download the latest release from the project site, verify it and build it ourselves.

1. Installing the C/C++ Compilers and libraries

chkrootkit's helper checks are C programs. Install GCC and the glibc-static package before building the source package, otherwise the build fails: the Makefile links a static copy of strings so that the check does not depend on the system's shared libraries.

# yum update
# yum install wget gcc-c++ glibc-static

2. Download the latest available chkrootkit.

As mentioned before, download the latest release tarball from the chkrootkit site. Note that the URL below is plain FTP, so the transfer is neither encrypted nor authenticated; that is one reason to verify what you downloaded in the next step.

# wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

3. Download the package md5 hash file

Next, download the MD5 hash file published alongside the tarball (chkrootkit.md5 in the same directory) and compare it against the downloaded archive to detect a corrupted or incomplete download. Be realistic about what this proves: the hash file comes from the same unauthenticated server as the tarball, so anyone able to tamper with one can tamper with the other, and MD5 is no longer collision resistant. It catches transfer errors, not a malicious mirror.

4. Extract the compressed file and install it.

Now extract the archive and build the helper programs with the Makefile's sense target. Keep the resulting directory together: chkrootkit is a shell script that executes its compiled helpers (chkproc, chklastlog and so on) from the current directory, so copying only the chkrootkit script to /usr/bin leaves those checks reporting that they could not be run. Either run it from the extracted directory or move the whole directory to a permanent location such as /usr/local/chkrootkit and call the script from there.
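Steps 2 to 4 as one script, added here as an example and not code from the original article. The download URL is the one given above; the name of the hash file (chkrootkit.md5), the install directory /usr/local/chkrootkit and the wrapper in /usr/local/sbin are my assumptions. The verification function is written so that it can be exercised offline against a constructed file.

```shell
#!/bin/sh
# Added example: fetch, verify and build chkrootkit from source on CentOS 7.
# Run as root with the single argument "install"; with no argument it only
# defines the functions. Assumed (not from the article): the MD5 file is
# chkrootkit.md5 next to the tarball, and /usr/local/chkrootkit is the
# install location.
set -eu

BASE_URL="ftp://ftp.pangeia.com.br/pub/seg/pac"   # from the article
INSTALL_DIR="/usr/local/chkrootkit"                 # assumed

# verify_md5 TARBALL MD5FILE
# Compares the MD5 of TARBALL with the digest recorded for its file name in
# MD5FILE (md5sum format: "<hex>  <name>"). Returns 0 on match, 1 otherwise.
# This only proves the download was not corrupted: the .md5 comes from the
# same unauthenticated server as the tarball, so it cannot prove authenticity.
verify_md5() {
    tarball="$1"; md5file="$2"
    name=$(basename "$tarball")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$md5file")
    actual=$(md5sum "$tarball" | awk '{ print $1 }')
    if [ -z "$expected" ]; then
        echo "verify_md5: no entry for $name in $md5file" >&2
        return 1
    fi
    if [ "$expected" != "$actual" ]; then
        echo "verify_md5: MISMATCH for $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "verify_md5: $name OK ($actual)"
}

build_and_install() {
    workdir=$(mktemp -d)
    cd "$workdir"
    wget -c "$BASE_URL/chkrootkit.tar.gz" "$BASE_URL/chkrootkit.md5"
    verify_md5 chkrootkit.tar.gz chkrootkit.md5
    tar -xzf chkrootkit.tar.gz
    cd chkrootkit-*/
    # "sense" is the Makefile target that compiles the helper programs
    # (chkproc, chkdirs, ifpromisc, ...) plus a statically linked strings.
    make sense
    cd ..
    # Keep script and helpers together: the script execs ./chkproc and friends
    # relative to its working directory.
    rm -rf "$INSTALL_DIR"
    mv chkrootkit-*/ "$INSTALL_DIR"
    chown -R root:root "$INSTALL_DIR"
    # Wrapper so "chkrootkit" works from any directory (assumed location).
    printf '#!/bin/sh\ncd %s && exec ./chkrootkit "$@"\n' "$INSTALL_DIR" \
        > /usr/local/sbin/chkrootkit
    chmod 0755 /usr/local/sbin/chkrootkit
    cd /
    rm -rf "$workdir"
}

if [ "${1:-}" = "install" ]; then
    build_and_install
fi
```

The wrapper exists because of the relative helper paths described above; without it, a symlink to the script in /usr/bin would run but silently skip the chkproc, chkdirs and related checks.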

You can also install other security scanners like rkhunter alongside it; the two use different signature sets, so running both is cheap and catches more.

Understanding chkrootkit

chkrootkit is a tool for performing rootkit checks. Its core is a shell script called chkrootkit that checks a list of system binaries for known rootkit modifications and looks for other traces such as suspicious files, hidden processes and sniffers. It also contains several C programs that perform the following checks:

ifpromisc.c: checks whether a network interface is in promiscuous mode, a common sign of a packet sniffer.

chklastlog.c: checks for lastlog deletions.

chkwtmp.c: checks for wtmp deletions.

chkproc.c: checks for signs of LKM trojans by comparing the processes visible through /proc with those reported by ps, to find hidden processes.

chkdirs.c: checks for signs of LKM trojans by comparing each directory's link count with the number of subdirectories actually listed, to find hidden directories.

strings.c: a quick and dirty replacement for the strings utility, so the scan does not depend on the system's own copy.

chkutmp.c: checks for utmp deletions.
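To make the two "LKM trojan" and sniffer checks concrete, here is a shell re-implementation of the idea behind chkproc and ifpromisc. This is illustrative code of mine, not chkrootkit's C sources: a process hidden by a kernel module usually vanishes from the directory listing of /proc but can still be reached by path, and a sniffing interface carries the IFF_PROMISC flag (bit 0x100) in /sys/class/net/<if>/flags. The MAX_PID cap and function names are my assumptions.

```shell
#!/bin/sh
# Added example: shell versions of the checks behind chkproc (hidden
# processes) and ifpromisc (promiscuous interfaces). Run with the argument
# "scan" to check the live system; with no argument only functions are defined.
set -eu

# hidden_pids READDIR_LIST LOOKUP_LIST
# Both arguments are whitespace-separated PID lists. Prints PIDs present in
# LOOKUP_LIST but absent from READDIR_LIST. An LKM rootkit typically hides a
# process by filtering the listing of /proc (getdents), while a direct lookup
# of /proc/<pid> still succeeds; that difference is the signature chkproc
# looks for. Exit status 0 = nothing hidden, 1 = findings printed.
hidden_pids() {
    seen=" $(printf '%s ' $1) "
    rc=0
    for pid in $2; do
        case "$seen" in
            *" $pid "*) ;;
            *) echo "$pid"; rc=1 ;;
        esac
    done
    return $rc
}

# PIDs as the kernel lists them (what ps and ls /proc see).
pids_via_readdir() {
    ls /proc | grep -E '^[0-9]+$'
    return 0
}

# PIDs reachable by direct lookup, probing 1..MAX (default assumed 65536;
# chkproc does the same in C over the full PID range).
pids_via_lookup() {
    max="${1:-65536}"
    pid=1
    while [ "$pid" -le "$max" ]; do
        if [ -d "/proc/$pid" ]; then echo "$pid"; fi
        pid=$((pid + 1))
    done
    return 0
}

# is_promisc_flags HEXFLAGS: true if IFF_PROMISC (0x100) is set.
is_promisc_flags() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# promisc_interfaces: prints interfaces in promiscuous mode; exit 1 if any.
promisc_interfaces() {
    rc=0
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        ifname=$(basename "$(dirname "$f")")
        flags=$(cat "$f")
        if is_promisc_flags "$flags"; then
            echo "$ifname: PROMISC (flags $flags)"
            rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "scan" ]; then
    echo "== hidden process check (lookup vs. listing of /proc) =="
    # Listing first, lookup second: a process that exits in between is simply
    # absent from both; one that starts in between shows up as a false
    # positive, so rescan before treating a single hit as a rootkit.
    if hidden_pids "$(pids_via_readdir)" "$(pids_via_lookup "${MAX_PID:-65536}")"; then
        echo "nothing hidden"
    else
        echo "PIDs above were reachable by lookup but missing from the listing"
    fi
    echo "== promiscuous interfaces =="
    promisc_interfaces || echo "a sniffer, a bridge or a monitoring agent may be responsible"
fi
```

A promiscuous interface is not proof of compromise on its own: tcpdump, bridged interfaces and some monitoring agents set the same flag, so the next step is to identify the process holding the packet socket, which is exactly what the sniffer check in the chkrootkit script reports.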

Usage

The simplest way to run the tool is to execute chkrootkit as root with no arguments, which runs every check. If you want to choose particular options, these are the ones worth knowing:

-r dir: use dir as the root directory. This is how you scan a disk from a suspect machine after mounting it on a clean system, so the checks do not depend on the suspect kernel:

# chkrootkit -r /mnt/

-p dir1:dir2:dirN: alternate path for the external commands chkrootkit itself relies on (ps, ls, netstat, strings and others). Point it at a set of known-good binaries, for example on read-only media, separating directories with colons; otherwise a rootkit that has trojaned those tools can hide from the scanner:

# ./chkrootkit -p /cdrom/bin:/floppy/mybin

-n: skip NFS-mounted directories.

-q: quiet mode, printing only suspicious results; this is the option the packaged daily cron job on Ubuntu uses.
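Putting -r, -p and -q together, the example below scans a suspect disk mounted under /mnt from a rescue system and reduces the report to the lines that need a human. It is added here as an example, not code from the article. The paths /mnt and /bin:/usr/bin are assumptions, and the sample report is constructed for the test; only its line shapes ("Checking `x'... not infected", "INFECTED (PORTS: ...)", "PF_PACKET(...)") follow chkrootkit's real output.

```shell
#!/bin/sh
# Added example: run chkrootkit against a suspect disk mounted under /mnt from
# a clean rescue system, using the rescue system's own binaries, and filter the
# report. Run with the argument "scan"; with no argument only functions are
# defined.
set -eu

SUSPECT_ROOT="${SUSPECT_ROOT:-/mnt}"          # where the suspect disk is mounted (assumed)
TRUSTED_BIN="${TRUSTED_BIN:-/bin:/usr/bin}"   # known-good tools on the rescue system (assumed)
# Findings the operator has already judged benign (extended regex). dhclient
# legitimately holds a raw packet socket on a DHCP client.
KNOWN_BENIGN="${KNOWN_BENIGN:-PF_PACKET\\(/sbin/dhclient\\)}"

# chkrootkit_findings [ALLOW_REGEX]
# Filters a chkrootkit report on stdin down to suspicious lines. Clean checks
# print "not infected", "not found" or "nothing detected"; problems print
# upper-case INFECTED, "Warning", "Possible ..." or a sniffer line, so a
# case-sensitive match separates them. Lines matching ALLOW_REGEX (default
# KNOWN_BENIGN; pass "" to disable) are dropped. Exit 0 if anything remains.
chkrootkit_findings() {
    allow="${1-$KNOWN_BENIGN}"
    if [ -n "$allow" ]; then
        grep -E 'INFECTED|Warning|Possible|PROMISC|PF_PACKET' | grep -vE "$allow"
    else
        grep -E 'INFECTED|Warning|Possible|PROMISC|PF_PACKET'
    fi
}

# chkrootkit_findings_count [ALLOW_REGEX]: number of suspicious lines on stdin.
chkrootkit_findings_count() {
    chkrootkit_findings "$@" | wc -l | tr -d ' '
}

# Constructed sample report (not captured from a real host).
SAMPLE_REPORT=$(cat <<'EOF'
ROOTDIR is `/mnt/'
Checking `basename'... not infected
Checking `ls'... not infected
Checking `netstat'... not infected
Checking `ps'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `chkutmp'... chkutmp: nothing deleted
Searching for suspect PHP files... nothing found
EOF
)

scan_mounted_disk() {
    # -r: treat the mounted disk as the root; -p: use the rescue system's
    # binaries rather than the suspect disk's; -q: print only suspicious lines.
    chkrootkit -r "$SUSPECT_ROOT" -p "$TRUSTED_BIN" -q > chkrootkit-report.txt 2>&1 || true
    if chkrootkit_findings < chkrootkit-report.txt; then
        echo "review the lines above; full report in chkrootkit-report.txt"
        return 1
    fi
    echo "no suspicious findings; full report in chkrootkit-report.txt"
}

if [ "${1:-}" = "scan" ]; then
    scan_mounted_disk
fi
```

The bindshell line in the sample is the classic false positive: that check compares listening ports against a fixed list, and 465 (SMTPS) is on it, so a mail server triggers it. Confirm which process owns the port before treating it as a finding, and add it to KNOWN_BENIGN only once you have.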

Nowadays our systems are reachable from many networks over the internet, so monitoring servers for signs of intrusion is essential. chkrootkit is a simple tool that performs a regular check for known rootkits; it does not prevent intrusions, but run daily and from trusted binaries it gives early warning that something has already gone wrong. Please leave your comments on this article.

Saheetha Shameer, 12:05 am


About Saheetha Shameer

Self-motivated and dedicated Linux Administrator having 10 years of working experience on various web-hosting control panels and Unix distributions. I'm a quick learner and have a slight inclination towards following the current and emerging trends in the industry. I'm passionate about testing/reviewing new Linux applications and open source tools.
